Waking Shark in second attack on UK banks

The attack has been ordered by The Treasury and Bank of England to stress-test the security and resilience of the UK's banking and online payments system, which transfers trillions of pounds a day.

The exercise will take place on an unspecified date in mid-November and is likely to involve the major high-street banks, Tier 2 and online banks like the Co-op, Virgin Money and Tesco Bank, the stock market and the big credit and debit card providers, Visa, MasterCard and American Express.

It follows last week's news that the Bank of England wants the UK's major banks to put in place a credible cyber attack plan within six months, and deliver a progress report on their cyber security by November.

PA Consulting banking expert Daniel Meere explained the logic for Waking Shark 2: “It's fine to have a plan - but if it's never been tested, then how much confidence can you actually draw from it? It's one thing to submit a report, it's another thing to have a plan that's been robustly tested.”

He thinks the war-game exercise “will be as lifelike as possible” and will enable the banks and credit card companies to test their defences and draw insights. He also believes the simulation is unlikely to risk using live customer data or to take any bank's systems offline.

The focus of the stress-test is likely to be the banks' biggest area of vulnerability – their mobile and online payments systems, Meere said.

“Banks nowadays are processing far more online and mobile transactions than they ever were, so the likelihood of any instance of fraud or any threat to their security is likely to come through that channel, rather than some sort of breach in a branch.”

Meere added: “You're saying what if someone tried to bring down the banking system or what if someone tried to disable payments for a period of time, either because they wanted to cause havoc or because they wanted to send a message? So it's not necessarily because they want to commit fraud, it might be because there's a political motivation.”

The name ‘Waking Shark 2’ derives from an original test of the electronic banking system two years ago, Waking Shark.

The latest test marks an attempt by the Bank of England, under new Governor Mark Carney, to show it is providing proper oversight and assurance around what's going on in the financial services industry, Daniel Meere said.

He added: “You've got a massive shift towards online and mobile banking which is only getting greater and so more transactions are happening there therefore more value is stored up in those channels, therefore if a threat materialises in those channels it's going to be more substantial.”

“The sorts of threats that they're needing to mitigate against are a completely different set to the ones that the regulation was designed to stop maybe 10 years ago.”

The theft earlier this year of £1.3 million from a Barclays Bank branch in London using a KVM (keyboard video mouse) device was a much more isolated and individual threat, Meere added.
